** Description changed:

  [Impact]
  When tunnels are configured over IPv6 using a xfrm policy, it's ignored. That 
means data will be unencrypted when it shouldn't.
  
  [Test case]
  
+ Launch a VM with the given kernel and monitor its network link on the host 
with:
+ tcpdump -n -i virbr0 ip6 and port 4789
+ 
+ In the guest, set up a tunnel using an IPv6 address:
+ ip link add type vxlan id 5 remote fd00:cafe::2 dstport 4789
+ 
+ When setting the link up, observe packets being output on the host side:
+ ip link set vxlan0 up
+ 
+ Set the link down, and add a xfrm policy to block output to that given IPv6 
address:
+ ip link set vxlan0 down
+ ip xfrm policy add dst fd00:cafe::2 dir out action block
+ 
+ Check that using ping won't work with Operation not permitted:
+ ping6 fd00:cafe::2
+ connect: Operation not permitted
+ 
+ Set the vxlan link up and watch that no packets appear on tcpdump:
+ ip link set vxlan0 up
+ 
  [Regression potential]
  Tunnels like VXLAN, GENEVE, etc, will stop to send. The test has shown that 
it still sends at least when no xfrm policy is configured.
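Review bot: the `ip link add type vxlan id 5 remote fd00:cafe::2 dstport 4789` step in [Test case] creates the device without a name, yet every later step operates on vxlan0, so the procedure depends on the kernel auto-assigning that name and would act on the wrong interface if a vxlan0 already exists in the guest. Suggest adding `name vxlan0` to the `ip link add` line. The final step would also be easier to judge if it stated that the tcpdump from the first step is still running and how long to watch. The test case leaves the block policy installed; a closing `ip xfrm policy delete dst fd00:cafe::2 dir out` would restore the guest.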

https://bugs.launchpad.net/bugs/1876982

Title:
  tunnels over IPv6 are unencrypted when using IPsec
